Cisco Support Community

New Member

Hairpinning?

Hi,

Is it possible to assign IP addresses from the same segment (172.17.8.0/24) to both interfaces (inside, outside)? NAT is not used on this router.

The router is used as a firewall to filter the traffic according to the ACL and just forward the traffic to the ISP router.

Is this setup possible? If possible, what is the drawback of this setup, and will I face any problem in the future?

If not possible, how can I implement it in another way while using the same segment IP address?

Attached diagram with more details.

12 REPLIES
Silver

Re: Hairpinning?

Hi,

If you are routing you can't have the same network on two interfaces.

You would need to look at deploying your router / firewall in a transparent mode, i.e. it is just a drop-in at layer 2.

This depends on what hw and sw you are running though. Couldn't open the attachment. What are you running?

Cheers,

Tim

Silver

Re: Hairpinning?

Well, you may need a router which is transparently bridging and acting as a firewall. You can use IRB and then turn on CBAC on the router.

This link should help you.

http://cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00805b8873.html

New Member

Re: Hairpinning?

Hi,

Thank you very much for the reply.

I have tested the Transparent IOS Firewall and it works great.

As of now I have tested with ICMP only.

The BVI1 is configured for remote access to the router for applying ACLs and to monitor the router.

I have attached the test config and diagram.

Can you please check the config and see if I am missing anything, or some of the setups which will not work in a real environment?

Thank you.
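The setup discussed in the posts above (IRB bridging, CBAC inspection, an ACL, and BVI1 for management) could look like the following sketch. This is an added example, not the poster's attached config; the interface names, the inspection rule name `FW`, ACL number 101 and the BVI1 address 172.17.8.250 are assumptions chosen for illustration.

```cisco
! Added illustration only; names and addresses below are assumed.
!
! CBAC inspection rule: return traffic for sessions started
! from the inside is allowed back through the outside ACL.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Integrated Routing and Bridging: bridge both ports at layer 2,
! route IP only to/from the BVI used for management.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Inside (LAN side): no IP address, member of bridge-group 1.
interface FastEthernet0/0
 description inside (assumed interface name)
 no ip address
 bridge-group 1
 ip inspect FW in
!
! Outside (ISP router side): same bridge-group, so both ports sit
! in 172.17.8.0/24 without the router owning two addresses there.
interface FastEthernet0/1
 description outside (assumed interface name)
 no ip address
 bridge-group 1
 ip access-group 101 in
!
! Management address for remote access and monitoring.
interface BVI1
 ip address 172.17.8.250 255.255.255.0
!
! Outside-in policy: drop and log anything CBAC has not opened.
access-list 101 deny ip any any log
```

Because ACL 101 denies everything arriving on the outside port that does not match an inspected session, any service that must be reachable from the outside needs an explicit permit entry above the deny.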

Silver

Re: Hairpinning?

Well, it looks fine to me; however, I myself haven't worked a lot on this. I think the best thing would be to test in the network and see if it works.

New Member

Re: Hairpinning?

Hi,

Thank you very much for the help.

I'll test it out with other applications and will let you know the results.

Thank you.

New Member

Re: Hairpinning?

Hi,

I tested the Transparent IOS Firewall with other applications and it is working well.

But at first I faced a little problem. Initially I disabled IP CEF and IP ROUTING and tested the Internet traffic. I was able to access the web sites, but after some time the router crashed and reloaded and gave bus error messages.

Then I enabled IP CEF and IP ROUTING and tested the Internet traffic; there was no problem with the router and everything worked fine.

Does the ASA 5500 series Adaptive Security Appliance support the Transparent Firewall?

Thank you.

Silver

Re: Hairpinning?

Yes, the ASA also supports transparent firewall.

New Member

Re: Hairpinning?

Is there any link for explanation and config details for ASA?

Re: Hairpinning?

Sure... Please follow the link below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a0080450278.html

BTW, I'm impressed and glad to see the IOS Transparent Firewall; I thought that only ASA / PIX had Transparent Firewalls.

Regards,

Wilson Samuel

New Member

Re: Hairpinning?

Hi,

I implemented the transparent firewall and it worked well.

But I faced a problem on our backup line.

When our main line goes down, the ISP router re-routes the traffic to the backup router.

The ping test from client to server in H.O worked perfectly through the backup line.

But the applications are not working.

The current setup is: the ISP router LAN cable is directly connected to the transparent firewall interface (outside/WAN side).

The transparent firewall interface (inside/LAN side) is connected to the L3 switch.

The backup line LAN interface is connected to the L3 switch.

The L3 switch default gateway is the ISP router LAN interface IP address.

All client PCs' default gateway is the L3 switch.

So when the main ISP line (WAN) goes down, the ISP router re-routes to the backup line, as the application packets from the client PC pass through the transparent firewall and the ISP router forwards them to the backup router.

But in the transparent firewall, the sessions are already there, and when the same packet enters the transparent firewall from the WAN side interface, I think it drops/blocks the packets.

Is it correct?

How to rectify this problem?

Is it OK if the backup router LAN interface is shifted in between the ISP router and the transparent firewall, connecting all three with a hub?

Thank you.

New Member

Re: Hairpinning?

Attached diagram "bcakupline with hub".

Is it OK if the backup router LAN interface is shifted in between the ISP router and the transparent firewall, connecting all three with a hub?

Will the problem be solved with this setup?

New Member

Re: Hairpinning?

Any suggestions please ...
